feat(openai): 极致优化 OAuth 链路并补齐性能守护

- 优化 /v1/responses 热路径，减少重复解析与不必要拷贝\n- 优化并发与 token 竞争路径并补齐运行指标\n- 补充 OpenAI/Ops 相关单元测试与回归用例\n- 新增灰度阈值守护与压测脚本，支撑发布验收

backend/internal/service/openai_token_provider_test.go

@@ -808,3 +808,119 @@ func TestOpenAITokenProvider_Real_NilCredentials(t *testing.T) {
 	require.Contains(t, err.Error(), "access_token not found")
 	require.Empty(t, token)
 }
+
+func TestOpenAITokenProvider_Real_LockRace_PollingHitsCache(t *testing.T) {
+	cache := newOpenAITokenCacheStub()
+	cache.lockAcquired = false // 模拟锁被其他 worker 持有
+
+	expiresAt := time.Now().Add(1 * time.Minute).Format(time.RFC3339)
+	account := &Account{
+		ID:       207,
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeOAuth,
+		Credentials: map[string]any{
+			"access_token": "fallback-token",
+			"expires_at":   expiresAt,
+		},
+	}
+
+	cacheKey := OpenAITokenCacheKey(account)
+	go func() {
+		time.Sleep(5 * time.Millisecond)
+		cache.mu.Lock()
+		cache.tokens[cacheKey] = "winner-token"
+		cache.mu.Unlock()
+	}()
+
+	provider := NewOpenAITokenProvider(nil, cache, nil)
+	token, err := provider.GetAccessToken(context.Background(), account)
+	require.NoError(t, err)
+	require.Equal(t, "winner-token", token)
+}
+
+func TestOpenAITokenProvider_Real_LockRace_ContextCanceled(t *testing.T) {
+	cache := newOpenAITokenCacheStub()
+	cache.lockAcquired = false // 模拟锁被其他 worker 持有
+
+	expiresAt := time.Now().Add(1 * time.Minute).Format(time.RFC3339)
+	account := &Account{
+		ID:       208,
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeOAuth,
+		Credentials: map[string]any{
+			"access_token": "fallback-token",
+			"expires_at":   expiresAt,
+		},
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	provider := NewOpenAITokenProvider(nil, cache, nil)
+	start := time.Now()
+	token, err := provider.GetAccessToken(ctx, account)
+	require.Error(t, err)
+	require.ErrorIs(t, err, context.Canceled)
+	require.Empty(t, token)
+	require.Less(t, time.Since(start), 50*time.Millisecond)
+}
+
+func TestOpenAITokenProvider_RuntimeMetrics_LockWaitHitAndSnapshot(t *testing.T) {
+	cache := newOpenAITokenCacheStub()
+	cache.lockAcquired = false
+
+	expiresAt := time.Now().Add(1 * time.Minute).Format(time.RFC3339)
+	account := &Account{
+		ID:       209,
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeOAuth,
+		Credentials: map[string]any{
+			"access_token": "fallback-token",
+			"expires_at":   expiresAt,
+		},
+	}
+	cacheKey := OpenAITokenCacheKey(account)
+	go func() {
+		time.Sleep(10 * time.Millisecond)
+		cache.mu.Lock()
+		cache.tokens[cacheKey] = "winner-token"
+		cache.mu.Unlock()
+	}()
+
+	provider := NewOpenAITokenProvider(nil, cache, nil)
+	token, err := provider.GetAccessToken(context.Background(), account)
+	require.NoError(t, err)
+	require.Equal(t, "winner-token", token)
+
+	metrics := provider.SnapshotRuntimeMetrics()
+	require.GreaterOrEqual(t, metrics.RefreshRequests, int64(1))
+	require.GreaterOrEqual(t, metrics.LockContention, int64(1))
+	require.GreaterOrEqual(t, metrics.LockWaitSamples, int64(1))
+	require.GreaterOrEqual(t, metrics.LockWaitHit, int64(1))
+	require.GreaterOrEqual(t, metrics.LockWaitTotalMs, int64(0))
+	require.GreaterOrEqual(t, metrics.LastObservedUnixMs, int64(1))
+}
+
+func TestOpenAITokenProvider_RuntimeMetrics_LockAcquireFailure(t *testing.T) {
+	cache := newOpenAITokenCacheStub()
+	cache.lockErr = errors.New("redis lock error")
+
+	expiresAt := time.Now().Add(1 * time.Minute).Format(time.RFC3339)
+	account := &Account{
+		ID:       210,
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeOAuth,
+		Credentials: map[string]any{
+			"access_token": "fallback-token",
+			"expires_at":   expiresAt,
+		},
+	}
+
+	provider := NewOpenAITokenProvider(nil, cache, nil)
+	_, err := provider.GetAccessToken(context.Background(), account)
+	require.NoError(t, err)
+
+	metrics := provider.SnapshotRuntimeMetrics()
+	require.GreaterOrEqual(t, metrics.LockAcquireFailure, int64(1))
+	require.GreaterOrEqual(t, metrics.RefreshRequests, int64(1))
+}